On Thu, May 28, 2015 at 10:42:09AM -0700, Rich Wales wrote:
> [...]
> I think what might be happening in some cases is that a new spam site
> sends me something (which I accept because the site is new and hasn't
> made it onto any DNSBLs yet) -- and soon thereafter, that site gets
> picked up by Spamhaus and other DNSBLs -- but I'll continue to accept
> mail from the site because I saw (and whitelisted) the site before the
> DNSBLs started blacklisting it, and postscreen is going to cache that
> whitelisting for several more days.

Note that Spamhaus have repeatedly decreased their TTLs recently,
and are now running with a 60-second positive caching TTL and
a 10-second negative caching TTL for SBL (including CSS) and
the DBL (the domain list), which are the two databases targeting
'snowshoe' spammers.

This suggests the time scales involved nowadays.

There are spammers out there that fire from a specific IP and a
specific domain for something like 1 minute, with tremendous
intensity.  Then that IP and that domain go dark forever -
they live on the Internet for just one hot minute, burning
their reputation in a short blaze.
Of course they have plenty of IPs and plenty of domains.
You really do not want to cache negative listing information
for days or hours.

furio
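
The effect discussed in this thread, as an added example that is not part of the original messages: a simplified model (not postscreen's code) comparing a "pass" cached for a fixed number of days with a "pass" that lives only as long as the DNSBL's negative TTL. The IP address, the timeline and the function names are constructed; the 60-second and 10-second TTLs are the figures quoted above.

```python
from dataclasses import dataclass

@dataclass
class Dnsbl:
    """Constructed DNSBL model: an IP becomes listed at a known time (seconds)."""
    listed_at: dict          # ip -> time at which the listing appears
    positive_ttl: int = 60   # TTL on a "listed" answer (figure from the thread)
    negative_ttl: int = 10   # TTL on a "not listed" answer (figure from the thread)

    def lookup(self, ip, now):
        listed = ip in self.listed_at and now >= self.listed_at[ip]
        return listed, (self.positive_ttl if listed else self.negative_ttl)

def accepted_after_listing(dnsbl, events, fixed_pass_ttl=None):
    """Count connections accepted from an IP that the DNSBL already lists.

    fixed_pass_ttl=None: a cached pass expires with the DNSBL reply's TTL.
    fixed_pass_ttl=N:    a cached pass lives N seconds, whatever the reply's TTL.
    """
    cache = {}    # ip -> (cached_verdict_is_listed, expires_at)
    leaked = 0
    for now, ip in sorted(events):
        entry = cache.get(ip)
        if entry is None or now >= entry[1]:       # cache miss or expired entry
            listed, ttl = dnsbl.lookup(ip, now)
            if not listed and fixed_pass_ttl is not None:
                ttl = fixed_pass_ttl               # long-lived whitelist entry
            entry = cache[ip] = (listed, now + ttl)
        currently_listed = dnsbl.lookup(ip, now)[0]
        if not entry[0] and currently_listed:      # stale pass let it through
            leaked += 1
    return leaked

def demo():
    # Constructed timeline: one connection per second for a one-minute burst,
    # with the DNSBL listing appearing 33 seconds after the first connection.
    ip = "192.0.2.10"
    bl = Dnsbl(listed_at={ip: 33})
    events = [(t, ip) for t in range(0, 61)]
    days = 7 * 24 * 3600
    return (accepted_after_listing(bl, events, fixed_pass_ttl=days),
            accepted_after_listing(bl, events))

if __name__ == "__main__":
    fixed, ttl_bound = demo()
    print(f"accepted after listing: fixed 7-day pass={fixed}, TTL-bound pass={ttl_bound}")
```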
